Controlled Environments - what are they?
An Anology
From a Linux workstation enter the following commands
ldd /bin/bash
ldd /bin/ls
You will see that there are some shared files such as libdl.so and libc.so
We can create a jailed environment to get a better understanding of what a container actually is.
If we are going to deploy these two applications to their own containers, we must only supply a limited set of the resources that they need to run. We don't need to deploy libtinfo.so for the ls command.
Look carefully at the output from ldd /bin/bash, you will see that the shared files are located in two directories
- /lib/x86_64-linux-gnu
- /lib64
In your home folder create a folder called jail
In the jail folder create the subfolders for bash dependencies shown above. Now copy bash and its dependencies into the jail subfolders. So you should have created the following
Navigate into the jail folder using this command chroot ./jail/ /bash. Then execute the ls command - it will fail.
The ls command fails because we created an environment only suitable for the bash command. This is an example what containerisation provides.
info
This is not a perfect model because certain systems commands are still available that reveal more than we need to know in this jail. E.g. set, and ipcs both work, giving us glimpses into the outer environment.
To prove that is a contained environment only suitable for bash, exit out of this jail by typing exit.
Copy the ls command into the jail folder using cp /bin/ls ./jail
Enter back into the jail using chroot ./jail/ /bash. Execute ls as follows ./ls - again it will fail but this time you should receive an error indicating that a shared file is missing.
See what happens if you copy the tree command into the jail. Before doing so, ldd /bin/tree to see if there are any other libraries that should added to the jail also.
Privileges
we should also be aware that processes may execute in kernel mode with elevated privileges. An example of this might be where a process acts as a privileged user and then has access to to privileged ports (those below 1024), or the process has access to certain kernel facilities such as the ability to create device such as a block device (found in /dev), these can be created by simply knowing their major and minor device number and the device type (it would do this through the mknode command), meaning that the process could access the hardware of the system. we must be able to disable this in contained environment.
You would use the capabilities command to control such behaviour.
You could also cgroups to control hardware restrictions.
Docker images are isolated from each other using
- Namespaces
- CGroups
- SELinux